diff --git a/crypto/encode_decode/decoder_pkey.c b/crypto/encode_decode/decoder_pkey.c index acb061c26a..65dc1326e2 100644 --- a/crypto/encode_decode/decoder_pkey.c +++ b/crypto/encode_decode/decoder_pkey.c @@ -745,6 +745,10 @@ OSSL_DECODER_CTX_new_for_pkey(EVP_PKEY **pkey, OSSL_LIB_CTX *libctx, const char *propquery) { OSSL_DECODER_CTX *ctx = NULL; + OSSL_PARAM decoder_params[] = { + OSSL_PARAM_END, + OSSL_PARAM_END + }; DECODER_CACHE *cache = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_DECODER_CACHE_INDEX); DECODER_CACHE_ENTRY cacheent, *res, *newcache = NULL; @@ -753,6 +757,9 @@ OSSL_DECODER_CTX_new_for_pkey(EVP_PKEY **pkey, ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_OSSL_DECODER_LIB); return NULL; } + if (propquery != NULL) + decoder_params[0] = OSSL_PARAM_construct_utf8_string(OSSL_DECODER_PARAM_PROPERTIES, + (char *)propquery, 0); /* It is safe to cast away the const here */ cacheent.input_type = (char *)input_type; @@ -794,7 +801,9 @@ OSSL_DECODER_CTX_new_for_pkey(EVP_PKEY **pkey, && OSSL_DECODER_CTX_set_input_structure(ctx, input_structure) && OSSL_DECODER_CTX_set_selection(ctx, selection) && ossl_decoder_ctx_setup_for_pkey(ctx, keytype, libctx, propquery) - && OSSL_DECODER_CTX_add_extra(ctx, libctx, propquery)) { + && OSSL_DECODER_CTX_add_extra(ctx, libctx, propquery) + && (propquery == NULL + || OSSL_DECODER_CTX_set_params(ctx, decoder_params))) { OSSL_TRACE_BEGIN(DECODER) { BIO_printf(trc_out, "(ctx %p) Got %d decoders\n", (void *)ctx, OSSL_DECODER_CTX_get_num_decoders(ctx)); diff --git a/crypto/x509/x_pubkey.c b/crypto/x509/x_pubkey.c index ec7d74af5f..ed10e0fbc2 100644 --- a/crypto/x509/x_pubkey.c +++ b/crypto/x509/x_pubkey.c @@ -66,7 +66,8 @@ ASN1_SEQUENCE(X509_PUBKEY_INTERNAL) = { } static_ASN1_SEQUENCE_END_name(X509_PUBKEY, X509_PUBKEY_INTERNAL) X509_PUBKEY *ossl_d2i_X509_PUBKEY_INTERNAL(const unsigned char **pp, - long len, OSSL_LIB_CTX *libctx) + long len, OSSL_LIB_CTX *libctx, + const char *propq) { X509_PUBKEY *xpub = OPENSSL_zalloc(sizeof(*xpub)); @@ -74,7 +75,7 @@ X509_PUBKEY *ossl_d2i_X509_PUBKEY_INTERNAL(const unsigned char **pp, return NULL; return (X509_PUBKEY *)ASN1_item_d2i_ex((ASN1_VALUE **)&xpub, pp, len, ASN1_ITEM_rptr(X509_PUBKEY_INTERNAL), - libctx, NULL); + libctx, propq); } void ossl_X509_PUBKEY_INTERNAL_free(X509_PUBKEY *xpub) diff --git a/include/crypto/x509.h b/include/crypto/x509.h index eaa43ba158..5765b9f719 100644 --- a/include/crypto/x509.h +++ b/include/crypto/x509.h @@ -336,7 +336,8 @@ int ossl_x509_PUBKEY_get0_libctx(OSSL_LIB_CTX **plibctx, const char **ppropq, ASN1_OCTET_STRING *ossl_x509_pubkey_hash(X509_PUBKEY *pubkey); X509_PUBKEY *ossl_d2i_X509_PUBKEY_INTERNAL(const unsigned char **pp, - long len, OSSL_LIB_CTX *libctx); + long len, OSSL_LIB_CTX *libctx, + const char *propq); void ossl_X509_PUBKEY_INTERNAL_free(X509_PUBKEY *xpub); RSA *ossl_d2i_RSA_PSS_PUBKEY(RSA **a, const unsigned char **pp, long length); diff --git a/providers/implementations/encode_decode/decode_der2key.c b/providers/implementations/encode_decode/decode_der2key.c index 5f094a32dc..45b39ed358 100644 --- a/providers/implementations/encode_decode/decode_der2key.c +++ b/providers/implementations/encode_decode/decode_der2key.c @@ -89,6 +89,7 @@ struct keytype_desc_st { */ struct der2key_ctx_st { PROV_CTX *provctx; + char propq[OSSL_MAX_PROPQUERY_SIZE]; const struct keytype_desc_st *desc; /* The selection that is passed to der2key_decode() */ int selection; @@ -109,7 +110,7 @@ static void *der2key_decode_p8(const unsigned char **input_der, if ((p8inf = d2i_PKCS8_PRIV_KEY_INFO(NULL, input_der, input_der_len)) != NULL && PKCS8_pkey_get0(NULL, NULL, NULL, &alg, p8inf) && OBJ_obj2nid(alg->algorithm) == ctx->desc->evp_type) - key = key_from_pkcs8(p8inf, PROV_LIBCTX_OF(ctx->provctx), NULL); + key = key_from_pkcs8(p8inf, PROV_LIBCTX_OF(ctx->provctx), ctx->propq); PKCS8_PRIV_KEY_INFO_free(p8inf); return key; @@ -120,6 +121,8 @@ static void *der2key_decode_p8(const unsigned char **input_der, static OSSL_FUNC_decoder_freectx_fn der2key_freectx; static OSSL_FUNC_decoder_decode_fn der2key_decode; static OSSL_FUNC_decoder_export_object_fn der2key_export_object; +static OSSL_FUNC_decoder_settable_ctx_params_fn der2key_settable_ctx_params; +static OSSL_FUNC_decoder_set_ctx_params_fn der2key_set_ctx_params; static struct der2key_ctx_st * der2key_newctx(void *provctx, const struct keytype_desc_st *desc) @@ -133,6 +136,28 @@ der2key_newctx(void *provctx, const struct keytype_desc_st *desc) return ctx; } +static const OSSL_PARAM *der2key_settable_ctx_params(ossl_unused void *provctx) +{ + static const OSSL_PARAM settables[] = { + OSSL_PARAM_utf8_string(OSSL_DECODER_PARAM_PROPERTIES, NULL, 0), + OSSL_PARAM_END + }; + return settables; +} + +static int der2key_set_ctx_params(void *vctx, const OSSL_PARAM params[]) +{ + struct der2key_ctx_st *ctx = vctx; + const OSSL_PARAM *p; + char *str = ctx->propq; + + p = OSSL_PARAM_locate_const(params, OSSL_DECODER_PARAM_PROPERTIES); + if (p != NULL && !OSSL_PARAM_get_utf8_string(p, &str, sizeof(ctx->propq))) + return 0; + + return 1; +} + static void der2key_freectx(void *vctx) { struct der2key_ctx_st *ctx = vctx; @@ -755,6 +780,10 @@ static void rsa_adjust(void *key, struct der2key_ctx_st *ctx) (void (*)(void))der2key_decode }, \ { OSSL_FUNC_DECODER_EXPORT_OBJECT, \ (void (*)(void))der2key_export_object }, \ + { OSSL_FUNC_DECODER_SETTABLE_CTX_PARAMS, \ + (void (*)(void))der2key_settable_ctx_params }, \ + { OSSL_FUNC_DECODER_SET_CTX_PARAMS, \ + (void (*)(void))der2key_set_ctx_params }, \ OSSL_DISPATCH_END \ } diff --git a/providers/implementations/encode_decode/decode_epki2pki.c b/providers/implementations/encode_decode/decode_epki2pki.c index 16fdc7945e..5dd13f5a92 100644 --- a/providers/implementations/encode_decode/decode_epki2pki.c +++ b/providers/implementations/encode_decode/decode_epki2pki.c @@ -26,12 +26,15 @@ static OSSL_FUNC_decoder_newctx_fn epki2pki_newctx; static OSSL_FUNC_decoder_freectx_fn epki2pki_freectx; static OSSL_FUNC_decoder_decode_fn epki2pki_decode; +static OSSL_FUNC_decoder_settable_ctx_params_fn epki2pki_settable_ctx_params; +static OSSL_FUNC_decoder_set_ctx_params_fn epki2pki_set_ctx_params; /* * Context used for EncryptedPrivateKeyInfo to PrivateKeyInfo decoding. */ struct epki2pki_ctx_st { PROV_CTX *provctx; + char propq[OSSL_MAX_PROPQUERY_SIZE]; }; static void *epki2pki_newctx(void *provctx) @@ -50,6 +53,28 @@ static void epki2pki_freectx(void *vctx) OPENSSL_free(ctx); } +static const OSSL_PARAM *epki2pki_settable_ctx_params(ossl_unused void *provctx) +{ + static const OSSL_PARAM settables[] = { + OSSL_PARAM_utf8_string(OSSL_DECODER_PARAM_PROPERTIES, NULL, 0), + OSSL_PARAM_END + }; + return settables; +} + +static int epki2pki_set_ctx_params(void *vctx, const OSSL_PARAM params[]) +{ + struct epki2pki_ctx_st *ctx = vctx; + const OSSL_PARAM *p; + char *str = ctx->propq; + + p = OSSL_PARAM_locate_const(params, OSSL_DECODER_PARAM_PROPERTIES); + if (p != NULL && !OSSL_PARAM_get_utf8_string(p, &str, sizeof(ctx->propq))) + return 0; + + return 1; +} + /* * The selection parameter in epki2pki_decode() is not used by this function * because it's not relevant just to decode EncryptedPrivateKeyInfo to @@ -104,7 +129,8 @@ static int epki2pki_decode(void *vctx, OSSL_CORE_BIO *cin, int selection, if (!PKCS12_pbe_crypt_ex(alg, pbuf, plen, oct->data, oct->length, &new_der, &new_der_len, 0, - PROV_LIBCTX_OF(ctx->provctx), NULL)) { + PROV_LIBCTX_OF(ctx->provctx), + ctx->propq)) { ok = 0; } else { OPENSSL_free(der); @@ -154,5 +180,9 @@ const OSSL_DISPATCH ossl_EncryptedPrivateKeyInfo_der_to_der_decoder_functions[] { OSSL_FUNC_DECODER_NEWCTX, (void (*)(void))epki2pki_newctx }, { OSSL_FUNC_DECODER_FREECTX, (void (*)(void))epki2pki_freectx }, { OSSL_FUNC_DECODER_DECODE, (void (*)(void))epki2pki_decode }, + { OSSL_FUNC_DECODER_SETTABLE_CTX_PARAMS, + (void (*)(void))epki2pki_settable_ctx_params }, + { OSSL_FUNC_DECODER_SET_CTX_PARAMS, + (void (*)(void))epki2pki_set_ctx_params }, OSSL_DISPATCH_END }; diff --git a/providers/implementations/encode_decode/decode_pvk2key.c b/providers/implementations/encode_decode/decode_pvk2key.c index cae1d9897a..5355cf11d6 100644 --- a/providers/implementations/encode_decode/decode_pvk2key.c +++ b/providers/implementations/encode_decode/decode_pvk2key.c @@ -24,6 +24,7 @@ #include /* For public PVK functions */ #include #include "internal/passphrase.h" +#include "internal/sizes.h" #include "crypto/pem.h" /* For internal PVK and "blob" headers */ #include "crypto/rsa.h" #include "prov/bio.h" @@ -49,12 +50,15 @@ struct keytype_desc_st { static OSSL_FUNC_decoder_freectx_fn pvk2key_freectx; static OSSL_FUNC_decoder_decode_fn pvk2key_decode; static OSSL_FUNC_decoder_export_object_fn pvk2key_export_object; +static OSSL_FUNC_decoder_settable_ctx_params_fn pvk2key_settable_ctx_params; +static OSSL_FUNC_decoder_set_ctx_params_fn pvk2key_set_ctx_params; /* * Context used for DER to key decoding. */ struct pvk2key_ctx_st { PROV_CTX *provctx; + char propq[OSSL_MAX_PROPQUERY_SIZE]; const struct keytype_desc_st *desc; /* The selection that is passed to der2key_decode() */ int selection; @@ -79,6 +83,28 @@ static void pvk2key_freectx(void *vctx) OPENSSL_free(ctx); } +static const OSSL_PARAM *pvk2key_settable_ctx_params(ossl_unused void *provctx) +{ + static const OSSL_PARAM settables[] = { + OSSL_PARAM_utf8_string(OSSL_DECODER_PARAM_PROPERTIES, NULL, 0), + OSSL_PARAM_END, + }; + return settables; +} + +static int pvk2key_set_ctx_params(void *vctx, const OSSL_PARAM params[]) +{ + struct pvk2key_ctx_st *ctx = vctx; + const OSSL_PARAM *p; + char *str = ctx->propq; + + p = OSSL_PARAM_locate_const(params, OSSL_DECODER_PARAM_PROPERTIES); + if (p != NULL && !OSSL_PARAM_get_utf8_string(p, &str, sizeof(ctx->propq))) + return 0; + + return 1; +} + static int pvk2key_does_selection(void *provctx, int selection) { if (selection == 0) @@ -115,7 +141,8 @@ static int pvk2key_decode(void *vctx, OSSL_CORE_BIO *cin, int selection, goto end; key = ctx->desc->read_private_key(in, ossl_pw_pvk_password, &pwdata, - PROV_LIBCTX_OF(ctx->provctx), NULL); + PROV_LIBCTX_OF(ctx->provctx), + ctx->propq); /* * Because the PVK API doesn't have a separate decrypt call, we need @@ -247,6 +274,10 @@ static void rsa_adjust(void *key, struct pvk2key_ctx_st *ctx) (void (*)(void))pvk2key_decode }, \ { OSSL_FUNC_DECODER_EXPORT_OBJECT, \ (void (*)(void))pvk2key_export_object }, \ + { OSSL_FUNC_DECODER_SETTABLE_CTX_PARAMS, \ + (void (*)(void))pvk2key_settable_ctx_params }, \ + { OSSL_FUNC_DECODER_SET_CTX_PARAMS, \ + (void (*)(void))pvk2key_set_ctx_params }, \ OSSL_DISPATCH_END \ } diff --git a/providers/implementations/encode_decode/decode_spki2typespki.c b/providers/implementations/encode_decode/decode_spki2typespki.c index e9f8dadb78..11f5426661 100644 --- a/providers/implementations/encode_decode/decode_spki2typespki.c +++ b/providers/implementations/encode_decode/decode_spki2typespki.c @@ -23,6 +23,8 @@ static OSSL_FUNC_decoder_newctx_fn spki2typespki_newctx; static OSSL_FUNC_decoder_freectx_fn spki2typespki_freectx; static OSSL_FUNC_decoder_decode_fn spki2typespki_decode; +static OSSL_FUNC_decoder_settable_ctx_params_fn spki2typespki_settable_ctx_params; +static OSSL_FUNC_decoder_set_ctx_params_fn spki2typespki_set_ctx_params; /* * Context used for SubjectPublicKeyInfo to Type specific SubjectPublicKeyInfo @@ -30,6 +32,7 @@ static OSSL_FUNC_decoder_decode_fn spki2typespki_decode; */ struct spki2typespki_ctx_st { PROV_CTX *provctx; + char propq[OSSL_MAX_PROPQUERY_SIZE]; }; static void *spki2typespki_newctx(void *provctx) @@ -48,6 +51,28 @@ static void spki2typespki_freectx(void *vctx) OPENSSL_free(ctx); } +static const OSSL_PARAM *spki2typespki_settable_ctx_params(ossl_unused void *provctx) +{ + static const OSSL_PARAM settables[] = { + OSSL_PARAM_utf8_string(OSSL_DECODER_PARAM_PROPERTIES, NULL, 0), + OSSL_PARAM_END + }; + return settables; +} + +static int spki2typespki_set_ctx_params(void *vctx, const OSSL_PARAM params[]) +{ + struct spki2typespki_ctx_st *ctx = vctx; + const OSSL_PARAM *p; + char *str = ctx->propq; + + p = OSSL_PARAM_locate_const(params, OSSL_DECODER_PARAM_PROPERTIES); + if (p != NULL && !OSSL_PARAM_get_utf8_string(p, &str, sizeof(ctx->propq))) + return 0; + + return 1; +} + static int spki2typespki_decode(void *vctx, OSSL_CORE_BIO *cin, int selection, OSSL_CALLBACK *data_cb, void *data_cbarg, OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg) @@ -67,8 +92,8 @@ static int spki2typespki_decode(void *vctx, OSSL_CORE_BIO *cin, int selection, return 1; derp = der; xpub = ossl_d2i_X509_PUBKEY_INTERNAL((const unsigned char **)&derp, len, - PROV_LIBCTX_OF(ctx->provctx)); - + PROV_LIBCTX_OF(ctx->provctx), + ctx->propq); if (xpub == NULL) { /* We return "empty handed". This is not an error. */ @@ -120,5 +145,9 @@ const OSSL_DISPATCH ossl_SubjectPublicKeyInfo_der_to_der_decoder_functions[] = { { OSSL_FUNC_DECODER_NEWCTX, (void (*)(void))spki2typespki_newctx }, { OSSL_FUNC_DECODER_FREECTX, (void (*)(void))spki2typespki_freectx }, { OSSL_FUNC_DECODER_DECODE, (void (*)(void))spki2typespki_decode }, + { OSSL_FUNC_DECODER_SETTABLE_CTX_PARAMS, + (void (*)(void))spki2typespki_settable_ctx_params }, + { OSSL_FUNC_DECODER_SET_CTX_PARAMS, + (void (*)(void))spki2typespki_set_ctx_params }, OSSL_DISPATCH_END }; diff --git a/test/build.info b/test/build.info index 57bf3cea63..d897f726a8 100644 --- a/test/build.info +++ b/test/build.info @@ -1071,6 +1071,11 @@ IF[{- !$disabled{tests} -}] DEPEND[endecoder_legacy_test]=../libcrypto.a libtestutil.a ENDIF + PROGRAMS{noinst}=decoder_propq_test + SOURCE[decoder_propq_test]=decoder_propq_test.c + INCLUDE[decoder_propq_test]=.. ../include ../apps/include + DEPEND[decoder_propq_test]=../libcrypto.a libtestutil.a + PROGRAMS{noinst}=namemap_internal_test SOURCE[namemap_internal_test]=namemap_internal_test.c INCLUDE[namemap_internal_test]=.. ../include ../apps/include diff --git a/test/decoder_propq_test.c b/test/decoder_propq_test.c new file mode 100644 index 0000000000..aa374da74c --- /dev/null +++ b/test/decoder_propq_test.c @@ -0,0 +1,119 @@ +/* + * Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include "testutil.h" + +static OSSL_LIB_CTX *libctx = NULL; +static OSSL_PROVIDER *nullprov = NULL; +static OSSL_PROVIDER *libprov = NULL; +static const char *filename = NULL; +static pem_password_cb passcb; + +typedef enum OPTION_choice { + OPT_ERR = -1, + OPT_EOF = 0, + OPT_CONFIG_FILE, + OPT_PROVIDER_NAME, + OPT_TEST_ENUM +} OPTION_CHOICE; + +const OPTIONS *test_get_options(void) +{ + static const OPTIONS test_options[] = { + OPT_TEST_OPTIONS_WITH_EXTRA_USAGE("file\n"), + { "config", OPT_CONFIG_FILE, '<', + "The configuration file to use for the libctx" }, + { "provider", OPT_PROVIDER_NAME, 's', + "The provider to load (The default value is 'default')" }, + { OPT_HELP_STR, 1, '-', "file\tFile to decode.\n" }, + { NULL } + }; + return test_options; +} + +static int passcb(char *buf, int size, int rwflag, void *userdata) +{ + strcpy(buf, "pass"); + return strlen(buf); +} + +static int test_decode_nonfipsalg(void) +{ + int ret = 0; + EVP_PKEY *privkey = NULL; + BIO *bio = NULL; + + /* + * Apply the "fips=true" property to all fetches for the libctx. + * We do this to test that we are using the propq override + */ + EVP_default_properties_enable_fips(libctx, 1); + + if (!TEST_ptr(bio = BIO_new_file(filename, "r"))) + goto err; + + /* + * If NULL is passed as the propq here it uses the global property "fips=true", + * Which we expect to fail if the decode uses a non FIPS algorithm + */ + if (!TEST_ptr_null(PEM_read_bio_PrivateKey_ex(bio, &privkey, &passcb, NULL, libctx, NULL))) + goto err; + + /* + * Pass if we override the libctx global prop query to optionally use fips=true + * This assumes that the libctx contains the default provider + */ + if (!TEST_ptr_null(PEM_read_bio_PrivateKey_ex(bio, &privkey, &passcb, NULL, libctx, "?fips=true"))) + goto err; + + ret = 1; +err: + BIO_free(bio); + EVP_PKEY_free(privkey); + return ret; +} + +int setup_tests(void) +{ + const char *prov_name = "default"; + char *config_file = NULL; + OPTION_CHOICE o; + + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_PROVIDER_NAME: + prov_name = opt_arg(); + break; + case OPT_CONFIG_FILE: + config_file = opt_arg(); + break; + case OPT_TEST_CASES: + break; + default: + case OPT_ERR: + return 0; + } + } + + filename = test_get_argument(0); + if (!test_get_libctx(&libctx, &nullprov, config_file, &libprov, prov_name)) + return 0; + + ADD_TEST(test_decode_nonfipsalg); + return 1; +} + +void cleanup_tests(void) +{ + OSSL_PROVIDER_unload(libprov); + OSSL_LIB_CTX_free(libctx); + OSSL_PROVIDER_unload(nullprov); +} diff --git a/test/recipes/04-test_encoder_decoder.t b/test/recipes/04-test_encoder_decoder.t index 19541610a9..817c95ee64 100644 --- a/test/recipes/04-test_encoder_decoder.t +++ b/test/recipes/04-test_encoder_decoder.t @@ -25,7 +25,7 @@ my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); my $rsa_key = srctop_file("test", "certs", "ee-key.pem"); my $pss_key = srctop_file("test", "certs", "ca-pss-key.pem"); -plan tests => ($no_fips ? 0 : 1) + 2; # FIPS install test + test +plan tests => ($no_fips ? 0 : 3) + 2; # FIPS install test + test my $conf = srctop_file("test", "default.cnf"); ok(run(test(["endecode_test", "-rsa", $rsa_key, @@ -47,5 +47,16 @@ unless ($no_fips) { "-pss", $pss_key, "-config", $conf, "-provider", "fips"]))); -} + my $no_des = disabled("des"); +SKIP: { + skip "DES disabled", 2 if disabled("des"); + ok(run(app([ 'openssl', 'genrsa', '-des3', '-out', 'epki.pem', + '-passout', 'pass:pass' ])), + "rsa encrypt using a non fips algorithm"); + + my $conf2 = srctop_file("test", "default-and-fips.cnf"); + ok(run(test(['decoder_propq_test', '-config', $conf2, + '-provider', 'fips', 'epki.pem']))); +} +}